Friday, March 09, 2007

ICANN Factsheet on last DNS root server attack

Yesterday ICANN published an interesting article about the last attack on the root servers (6 February 2007): see http://www.icann.org/announcements/announcement-08mar07.htm . The paper is not as detailed and technical as one would expect, but it is still worth reading.

It seems that the remaining root servers should also move to anycast. I think this is good, but will it work reliably with TCP? Does anyone use TCP to query DNS servers? Why is it not disabled? It seems that all root servers accept TCP (dig @l.root-servers.net. . NS +tcp).

A side note: as you can see, the root servers do not yet give you the IPv6 addresses of the root servers. They are doing some tests now, before breaking the root server 512-byte packet rule. We are still far from fully IPv4/IPv6 interoperable networks.
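As an added example (not from the post or from ICANN's fact sheet): a minimal encoder for the root priming response with RFC 1035 name compression, showing that the 13 NS records plus A glue fit in 436 bytes and that only two AAAA glue records can be added before the 512-byte UDP limit forces a truncated answer (TC=1) and a retry over TCP. The glue addresses are constructed documentation-prefix values, not the real root server addresses.

```python
import struct
from ipaddress import ip_address

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)
ROOT_LETTERS = "abcdefghijklm"
# Constructed glue from documentation prefixes, NOT the real root server addresses.
A_GLUE = {l: f"192.0.2.{i + 1}" for i, l in enumerate(ROOT_LETTERS)}
AAAA_GLUE = {l: f"2001:db8::{i + 1}" for i, l in enumerate(ROOT_LETTERS)}

def encode_name(name, buf, offsets):
    """Append `name` in wire format, emitting a 2-byte RFC 1035 pointer for any suffix already in buf."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels) + "."
        if suffix in offsets:
            buf += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        offsets[suffix] = len(buf)  # message stays far below the 16 KiB pointer range
        buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    buf += b"\x00"  # root label ends an uncompressed name

def build_priming_response(aaaa_glue, letters=ROOT_LETTERS, a_glue=A_GLUE):
    """Answer to '. NS': NS RRset in the answer section, A/AAAA glue in the additional section."""
    records = [(".", TYPE_NS, f"{l}.root-servers.net.") for l in letters]
    records += [(f"{l}.root-servers.net.", TYPE_A, a_glue[l]) for l in letters if l in a_glue]
    records += [(f"{l}.root-servers.net.", TYPE_AAAA, aaaa_glue[l]) for l in letters if l in aaaa_glue]
    buf, offsets = bytearray(), {}
    # header: id, flags QR|AA, qdcount, ancount, nscount, arcount
    buf += struct.pack("!6H", 0x1234, 0x8400, 1, len(letters), 0, len(records) - len(letters))
    buf += b"\x00" + struct.pack("!HH", TYPE_NS, 1)  # question: QNAME '.', QTYPE NS, QCLASS IN
    for owner, rtype, rdata in records:
        encode_name(owner, buf, offsets)
        buf += struct.pack("!HHIH", rtype, 1, 3600000, 0)  # TTL 1000h; rdlength patched below
        start = len(buf)
        if rtype == TYPE_NS:
            encode_name(rdata, buf, offsets)
        else:
            buf += ip_address(rdata).packed
        struct.pack_into("!H", buf, start - 2, len(buf) - start)
    return bytes(buf)

def max_aaaa_under_udp_limit(limit=UDP_LIMIT):
    """Most AAAA glue records that fit in `limit` bytes; past that the server sets TC=1 and the client must retry over TCP."""
    for n in range(len(ROOT_LETTERS), -1, -1):
        glue = {l: AAAA_GLUE[l] for l in ROOT_LETTERS[:n]}
        if len(build_priming_response(glue)) <= limit:
            return n
    return 0
```

Each AAAA glue record costs 28 bytes (2-byte compressed owner, 10-byte RR header, 16-byte address), which is why a resolver that cannot fall back to TCP or negotiate EDNS0 would lose most of the IPv6 glue.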

The last recommendation is: "ISPs should only accept DNS queries from trusted sources (i.e., their own customers) rather than allow anyone to use their servers." This rule (on recursive queries) is already well known, and I think it is less problematic than mail relaying (possibly with SPF), but on the other side we are moving to the point where we must trust our ISP, and our ISP will firewall "non-proxied" traffic.

As a last point, the fact sheet cites two Wikipedia articles. Is Wikipedia that good, or is there no better (updated) documentation on the net?

1 comment:

Ben Hutchings said...

You need TCP for queries and responses larger than 512 bytes, though I don't know whether these are ever needed at the root servers.

TCP connections from a unicast to an anycast address should work so long as routing from the unicast address is stable over the lifetime of the connection, but it does seem like the two aren't fully compatible.